CVE-2025-59465

HIGH7.5

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node

Published Jan 20, 2026

Modified 1 months ago

Details

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:

server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})

Affected Packages

Node.js

Windows 10 (1507)Windows 10 (1607) / Server 2016Windows 10 (1809) / Server 2019Windows 10 (1903)Windows 10 (1909)

References

WEB

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-59465

CVSS Analysis

CVSS v3.0

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ecosystems(17)

Windows 10 (1507)Windows 10 (1607) / Server 2016 Windows 10 (1809) / Server 2019 Windows 10 (1903)Windows 10 (1909)

Timeline

PublishedJan 20, 2026

ModifiedJan 21, 2026

CVE-2025-59465 | Mondoo Vulnerability Intelligence